Disable auth-source-pass-extra-query-keywords by default

* doc/misc/auth.texi: Mention subdomain matching in
`auth-source-pass-extra-query-keywords' section.
* etc/NEWS: Mention the loss of traditional auth-source-pass features
when `auth-source-pass-extra-query-keywords' is enabled.
* lisp/auth-source-pass (auth-source-pass-extra-query-keywords): Set
default to nil.  Mention domain matching in doc string.
(auth-source-pass--match-regexp): Allow username to contain "@".
* lisp/erc/erc-compat.el:
(erc-compat--29-auth-source-pass--retrieve-parsed): Adjust regexp.
* test/lisp/auth-source-pass-tests.el
(auth-source-pass-extra-query-keywords--suffixed-user): make plain
username more email-like.
(Bug#58985.)

5 files changed, 26 insertions, 23 deletions

diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi
index 872e5f88f55..83728be0a54 100644
--- a/doc/misc/auth.texi
+++ b/doc/misc/auth.texi
@@ -560,11 +560,12 @@ favors the @samp{rms@@gnu.org.gpg} form for usernames over the
 param was provided.
 
 In general, if you prefer idiosyncrasies traditionally exhibited by
-this backend, such as prioritizing field count in a filename, try
-setting this option to @code{nil}.  But, if you experience problems
-predicting the outcome of searches relative to other auth-source
-backends or encounter code expecting to query multiple backends
-uniformly, try flipping it back to @code{t} (the default).
+this backend, such as prioritizing field count in a filename or
+matching against subdomain labels, keep this option set to @code{nil}
+(the default).  But, if you experience problems predicting the outcome
+of searches relative to other auth-source backends or encounter code
+expecting to query multiple backends uniformly, try flipping it to
+@code{t}.
 @end defvar
 
 @node Help for developers
diff --git a/etc/NEWS b/etc/NEWS
index 7b64752f46c..0ffc849feca 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -1410,7 +1410,8 @@ database stored on disk.
 *** New user option 'auth-source-pass-extra-query-keywords'.
 Whether to recognize additional keyword params, like ':max' and
 ':require', as well as accept lists of query terms paired with
-applicable keywords.
+applicable keywords.  This disables most known behavioral quirks
+unique to auth-source-pass, such as wildcard subdomain matching.
 
 ** Dired
 
diff --git a/lisp/auth-source-pass.el b/lisp/auth-source-pass.el
index dc274843e10..74d38084480 100644
--- a/lisp/auth-source-pass.el
+++ b/lisp/auth-source-pass.el
@@ -55,12 +55,13 @@
   :type 'string
   :version "27.1")
 
-(defcustom auth-source-pass-extra-query-keywords t
+(defcustom auth-source-pass-extra-query-keywords nil
   "Whether to consider additional keywords when performing a query.
 Specifically, when the value is t, recognize the `:max' and
 `:require' keywords and accept lists of query parameters for
-certain keywords, such as `:host' and `:user'.  Also, wrap all
-returned secrets in a function and forgo any further results
+certain keywords, such as `:host' and `:user'.  Beyond that, wrap
+all returned secrets in a function and don't bother considering
+subdomains when matching hosts.  Also, forgo any further results
 filtering unless given an applicable `:require' argument.  When
 this option is nil, do none of that, and enact the narrowing
 behavior described toward the bottom of the Info node `(auth) The
@@ -110,7 +111,7 @@ HOSTS can be a string or a list of strings."
 (defun auth-source-pass--match-regexp (s)
   (rx-to-string ; autoloaded
    `(: (or bot "/")
-       (or (: (? (group-n 20 (+ (not (in ?\  ?/ ?@ ,s)))) "@")
+       (or (: (? (group-n 20 (+ (not (in ?\  ?/ ,s)))) "@")
               (group-n 10 (+ (not (in ?\  ?/ ?@ ,s))))
               (? ,s (group-n 30 (+ (not (in ?\  ?/ ,s))))))
            (: (group-n 11 (+ (not (in ?\  ?/ ?@ ,s))))
diff --git a/lisp/erc/erc-compat.el b/lisp/erc/erc-compat.el
index 66a9a615e32..abbaafcd936 100644
--- a/lisp/erc/erc-compat.el
+++ b/lisp/erc/erc-compat.el
@@ -176,7 +176,7 @@ If START or END is negative, it counts from the end."
 ;; This hard codes `auth-source-pass-port-separator' to ":"
 (defun erc-compat--29-auth-source-pass--retrieve-parsed (seen e port-number-p)
   (when (string-match (rx (or bot "/")
-                          (or (: (? (group-n 20 (+ (not (in " /@")))) "@")
+                          (or (: (? (group-n 20 (+ (not (in " /:")))) "@")
                                  (group-n 10 (+ (not (in " /:@"))))
                                  (? ":" (group-n 30 (+ (not (in " /:"))))))
                               (: (group-n 11 (+ (not (in " /:@"))))
diff --git a/test/lisp/auth-source-pass-tests.el b/test/lisp/auth-source-pass-tests.el
index 6e6671efca5..1107e09b51b 100644
--- a/test/lisp/auth-source-pass-tests.el
+++ b/test/lisp/auth-source-pass-tests.el
@@ -697,29 +697,29 @@ machine Libera.Chat password b
 ;; with slightly more realistic and less legible values.
 
 (ert-deftest auth-source-pass-extra-query-keywords--suffixed-user ()
-  (let ((store (sort (copy-sequence '(("x.com:42/bar" (secret . "a"))
-                                      ("bar@x.com" (secret . "b"))
+  (let ((store (sort (copy-sequence '(("x.com:42/b@r" (secret . "a"))
+                                      ("b@r@x.com" (secret . "b"))
                                       ("x.com" (secret . "?"))
-                                      ("bar@y.org" (secret . "c"))
+                                      ("b@r@y.org" (secret . "c"))
                                       ("fake.com" (secret . "?"))
-                                      ("fake.com/bar" (secret . "d"))
-                                      ("y.org/bar" (secret . "?"))
-                                      ("bar@fake.com" (secret . "e"))))
+                                      ("fake.com/b@r" (secret . "d"))
+                                      ("y.org/b@r" (secret . "?"))
+                                      ("b@r@fake.com" (secret . "e"))))
                      (lambda (&rest _) (zerop (random 2))))))
     (auth-source-pass--with-store store
       (auth-source-pass-enable)
       (let* ((auth-source-pass-extra-query-keywords t)
              (results (auth-source-search :host '("x.com" "fake.com" "y.org")
-                                          :user "bar"
+                                          :user "b@r"
                                           :require '(:user) :max 5)))
         (dolist (result results)
           (setf (plist-get result :secret) (auth-info-password result)))
         (should (equal results
-                       '((:host "x.com" :user "bar" :secret "b")
-                         (:host "x.com" :user "bar" :port "42" :secret "a")
-                         (:host "fake.com" :user "bar" :secret "e")
-                         (:host "fake.com" :user "bar" :secret "d")
-                         (:host "y.org" :user "bar" :secret "c"))))))))
+                       '((:host "x.com" :user "b@r" :secret "b")
+                         (:host "x.com" :user "b@r" :port "42" :secret "a")
+                         (:host "fake.com" :user "b@r" :secret "e")
+                         (:host "fake.com" :user "b@r" :secret "d")
+                         (:host "y.org" :user "b@r" :secret "c"))))))))
 
 ;; This is a more distilled version of `suffixed-user', above.  It
 ;; better illustrates that search order takes precedence over "/user"